Open-source code repository SourceForge.net has begun automatically blocking the internet addresses of users from countries such as Iran, North Korea, Cuba, Sudan, and Syria in an attempt to enforce a policy forbidding them from downloading free software.
The move infuriated many purists of the free and open-source software …

Pointless

Classic Criminal Protection Racketry as Used Previously by Mobsters ...

.... who have Moved on and into Markets that Control All Such and Much Better Things.

"In a blog post Monday, SourceForge didn't say what prompted the move, but it did claim the change didn't sit well with the organization's ideals."

Some Bullying Idiot Boy, NSL, probably, from some Intellectually Challenged Terrorising Radicalised Imperial Fundamentalist Gagging Order in Dire Straits Need of Specialised PsychoTreatment in a Secure and Remote Environment, if and when it is a case of they can't or won't say because then they are to be hit with the Patriot Act Blunt Instrument and Private Club for Enforced Trauma and Delivered Chaos.

What's SF got against Rugby?!

Difficult to understand the thought process

Okay, so they must realise that this won't stop anyone with a bit of nous and/or determination from accessing any hosted code they want. At best it might be a hindrance to someone with a casual interest.

So this must be one of those "send a message" things. Who is the message for, I wonder?

I can't help thinking that this has precious little to do with Sourceforge and a lot more to do with the bully-boy diplomacy of the USA. Which means it's a bloody shame.

"One" is wrong

"One person commenting on the SourceForge blog argued the restriction is a violation of Section 5 of the open source definition which states licenses must not discriminate "against any person or group of persons." "

"One" is obviously completely off mark.

Any provision in a contract or licence that is illegal is of course superseded by law.

If the Law in the US says you can't distribute to Iran, then you can write whatever you fucking want in your licence, the licensee can ignore whatever part of the licence would force you to do something illegal.

Example: I buy a yogurt. The yogurt company proposes a contract whereby I can get 10c off if I agree to kill my neighbour.

Well, tough luck yogurt company, one side of the contract is void, and the other is not. Hence not only do I not need to kill my neighbour, but I'm still entitled to the 10c, even if I agreed I could have them only as a counterpart to killing my neighbour.

I am convinced the law is the same for licences, and you can just ignore the parts that would make you do something illegal, and still keep the rights to using the licence, as long as you comply with every legal provision in it.

To sum it up: "Section 5 of a document written by a guy (even a genius guy) Vs The Law, The Law wins"

Of course...

The US law is not the world's law. SF is, I guess, legally required to prevent users in said countries from downloading from their US servers.

Since we're talking about Open Source, anyone can take that content, mirror it in another country that doesn't have a silly restriction on software exports, and the "bad guys" can have all they want legally.

I get the distinct impression a large closed source software vendor was behind this in some way - the countries involved are known to be quite keen on open source/cheap software.

OS licenses don't oblige distribution

Accepting an OS license doesn't oblige someone to distribute software. The only obligation an OS license of the copyleft kind creates is to ensure a distributor who makes binaries available also makes source available to those to whom binaries are distributed.

The fact that US law prevents distribution of some or all software to a list of countries doesn't prevent anyone outside the reach of US law from doing so.

Law

SourceForge are simply complying with the law of the land (in this case, that land is the USA). Judging from the tone of the SourceForge announcement, it seems likely that someone (maybe from some branch of the US government) pointed out that they might be deemed to be assisting terrorists if they did not adjust their policies.

Perhaps some of those who responded so vociferously to SF's announcement may step in to offer a service to download and forward files to individuals on the various lists. Of course, they may want to consider the legality of such an offer and ramifications for their own freedom, career, etc. Given the state of US-UK extradition, I guess that would apply to UK residents as much as to those in the USA.

Smoke and Mirrors

I would have thought that the obvious solution would be for the stuff in question to not be available from mirrors hosted in countries where these laws apply, and to be freely available on mirrors in countries where these laws do not apply. It seems that many people (not just US law makers) tend to forget that US laws only apply in US jurisdictions.

Publish and be damned

Am I missing something?

Sourceforge has banned these countries because they: "barred people from uploading and downloading code if they reside in countries on the US Office of Foreign Assets Control sanction list."

Surely that only applies to US territories. Mirrors in more liberal jurisdictions shouldn't be affected. As there are unlikely to be high speed lines from Cuba to the US (apart from the ones from Gitmo) it would be faster for Cubans to download from a South American mirror anyway, and Korea from China or Japan, etc.

Here be titles

They do mention uploading code too, so perhaps there has been some concern about people from Countries-The-US-Doesn't-Like uploading malware or trojan code, or introducing backdoors that the US isn't aware of through security systems and doesn't want anyone else to have, so has applied some strongarm tactics?

Or maybe they don't want the 'bad guys' to have non-US-sanctioned (ie, strong) encryption code that someone else in the world might have written.

Uploading code

> ...uploading malware or trojan code...

You do understand the principles of open source, right? That what is contributed is the human-readable SOURCE code that one takes and runs through a compiler oneself? [1] There's zero chance that someone can *hide* malware in open source software. Perhaps you mean that Sourceforge is a clearing house for malware, but that allegation would need some citations, please.

There's plenty of strong encryption tools available planet-wide without needing to download from sourceforge. The USA lost that battle a long time ago. Besides, nobody has ever found any terrorists who are using strong encryption.

[1] OK, Sourceforge does host binaries and installation packages, too. You use them if you trust them.

If they are serious on open source

Where does it end?

It seems a silly idea to follow US policy as you're on a slippery slope to start with...

I don't see the point as people will just use either an open proxy or TOR to get around it or download from another source altogether (no pun intended).

Personally I think Sourceforge should reverse this as they may end up blocking the whole of Africa whilst they're at it as there are some Islamic nuts in Yemen and Somalia and this would hinder the uptake of open source where it should flourish.

@Phillip Webster

SourceForge's headquarters and central repository (IOW, the hub of SourceForge) is located in the US. Any company with a US presence is subject to US law (as described in the US Code) regardless of its international presence (IOW, you play in the US, you play by US rules--if not, don't play in the US). Trying to move the hosting of controversial content offshore to get around the law is probably itself covered under US law which is why it isn't being done (and if you're wondering about Wikileaks, I don't think their headquarters is in the US).

Server location irrelevant

Alas the server location is irrelevant. A country's law can apply anywhere on the planet if the government so wishes. Obviously enforcement can be an issue, but that's by the by.

If the USA has a law making it illegal to sell cats anywhere in the world, and you sell a cat in the UK, they can still arrest you on entry to a US territory. If this law is considered to apply anywhere on the planet (i.e. you go to Pakistan, give some dodgy guy some useful code, return to the USA and get nicked) then anyone going to or through any US territory is in the shit (c.f. internet betting).

It sounds like someone "reminded" SF of this and so - having common sense - they obliged. Yes, it's bully boy tactics, but SF aren't there to fight ideological battles about anything other than open source.

No, it's not going to stop anyone with half a brain accessing SF. I imagine most of the "rogue states" have a nice collection of bots around the world, and definitely including in the US. That place has more infections than Paris

Well, they could use a bot or a proxy ...

Or they could just ask a friend. If any of my acquaintances in Cuba wants a tar ball of something from SourceForge they have only to ask. I don't think there's anything in the laws of my country that would prevent me from helping in that way, and even if there were it's not like I'd care.

Of course, a large proportion of projects on SourceForge which aren't crap are also available from other web sites or mirrors.

Bingo!

Source Forge is now in compliance with US law. And as long as the bad guys don't make it obvious to Source Forge that they are downloading via proxy, Source Forge doesn't need to take further action. Yes, it is stupid, but those are the games you play with stupid laws.

Land of the Free?

So what this really means is;

RE: Mirrors

Setting up mirrors outside the US wouldn't work. The law on exports doesn't just cover direct exports, it also covers exports made via a third party/place where you know the final destination is a place not allowed to receive them. So if SF were to set up a mirror that allowed free downloads to these 5 countries, then they would still be acting illegally - and the same if someone else set up a mirror and SF knew what was going on.

Since it would be hard to mount a defence (let's face it, it would be really hard for tech savvy people like those running SF to claim ignorance), then they really couldn't allow it.

On the other hand, if end users use technical measures (such as onion routing) that are hard for SF to spot, then SF are reasonably off the hook.